fix: Handle kms_key_id for secondary global replication group with at_rest_encryption #71
Closed
PadminiSahoo wants to merge 1 commit into terraform-aws-modules:master from
…group
When creating a secondary replication group in a Global Datastore with CMK enabled, terraform plan fails with:
Error: Null condition
kms_key_id = var.at_rest_encryption_enabled ? var.kms_key_arn : null
var.at_rest_encryption_enabled is null
## Root Cause
In main.tf line 169, kms_key_id uses var.at_rest_encryption_enabled as a boolean condition. For secondary replication groups, this variable must be null (AWS rejects AtRestEncryptionEnabled when global_replication_group_id is set), so the ternary condition itself errors.
## Expected Behavior
When create_secondary_global_replication_group = true, kms_key_id should be set directly from var.kms_key_arn without checking at_rest_encryption_enabled.
Bug Description
When creating a secondary replication group in a Global Datastore with CMK
enabled, terraform plan fails with:
Error: Null condition
kms_key_id = var.at_rest_encryption_enabled ? var.kms_key_arn : null
var.at_rest_encryption_enabled is null
Root Cause
In main.tf line 169, kms_key_id uses var.at_rest_encryption_enabled as a
boolean condition. For secondary replication groups, this variable must be null
(AWS rejects AtRestEncryptionEnabled when global_replication_group_id is set),
so the ternary condition itself errors.
Expected Behavior
When create_secondary_global_replication_group = true, kms_key_id should
be set directly from var.kms_key_arn without checking
at_rest_encryption_enabled.
Suggested Fix
kms_key_id = var.create_secondary_global_replication_group ? var.kms_key_arn : (
  var.at_rest_encryption_enabled ? var.kms_key_arn : null
)
Steps to Reproduce
at_rest_encryption_enabled = true)
global_replication_group_id set, kms_key_arn set
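
A null-safe variant of the expression discussed above, as an added example that is not part of the pull request or the module's code. The variable names follow the description; the `== true` rewrite, the output precondition (an assumed policy) and the placeholder ARN are assumptions made for this example.

```hcl
# Stand-alone config, no provider needed: `terraform init && terraform plan`.
# Variable names follow the PR description; all values are constructed.
variable "create_secondary_global_replication_group" {
  type     = bool
  default  = true
  nullable = false
}

variable "at_rest_encryption_enabled" {
  type    = bool
  default = null # left null for a secondary, as the description requires
}

variable "kms_key_arn" {
  type    = string
  default = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE" # constructed placeholder
}

locals {
  # Expression from the bug report. Uncommenting it reproduces "Null condition"
  # with the defaults above, because the condition itself is null.
  # kms_key_id_reported = var.at_rest_encryption_enabled ? var.kms_key_arn : null

  # Null-safe rewrite (assumption, not the PR's text): `== true` yields false
  # when its left side is null, so the condition is always a real bool.
  # Unlike the suggested fix, a non-secondary with a null flag gets null here.
  kms_key_id = (
    var.create_secondary_global_replication_group || var.at_rest_encryption_enabled == true
  ) ? var.kms_key_arn : null
}

output "kms_key_id" {
  value = local.kms_key_id

  precondition {
    # Assumed policy for this example: a secondary must name its CMK, so a
    # missing ARN fails the plan instead of leaving kms_key_id null.
    condition     = !var.create_secondary_global_replication_group || var.kms_key_arn != null
    error_message = "kms_key_arn must be set when create_secondary_global_replication_group is true."
  }
}
```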